This section looks into some commonly encountered problems that you might experience and how to resolve them.
I see a huge number of "ICMP Unreachable" syslog messages from PIX firewall in my Security Monitor. How can I resolve the problem?
The problem can happen if the PIX is configured to send syslog messages to Security Monitor, but the syslog service on the VMS server that accepts these messages is down. The VMS server sends back an "ICMP Unreachable" message to the PIX. If IDS/IPS is enabled in the PIX firewall, the PIX receives the error message and sends another syslog message to Security Monitor to report the error. The two devices get stuck in an endless loop. To work around the problem, execute a no logging message 400011 command so that the PIX does not report the ICMP error messages to Security Monitor. Then troubleshoot the Security Monitor server as follows:
- Check for available disk space.
- Ensure that the PIX sends the syslog messages to the same UDP port that Security Monitor uses to receive messages.
- Be sure that the daemon responsible for syslog is running.
- Be sure that neither a firewall or Host IPS on the Security Monitor server nor any firewall in the network is blocking the UDP/514 traffic.
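The loop described above leaves a recognizable trace in the syslog stream: a burst of PIX message 400011 whose ICMP Unreachable source is the Security Monitor server itself. The following added example (not from the book or from Cisco) shows detection logic that runs over sample syslog lines and flags that pattern. The exact text of message 400011 and the sample lines are constructed for the example; only the "%PIX-n-400011" tag and the "from <ip> to <ip>" fields are relied on, and the Security Monitor address 10.10.10.5 is an assumed value.

```python
import re
from collections import Counter

# Constructed line shape for PIX message 400011 (the real wording may differ
# slightly); the regex only depends on the message tag and the from/to fields.
PIX_400011 = re.compile(
    r"%PIX-\d-400011: IDS:\d+ ICMP unreachable from (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def count_unreachable_by_source(lines):
    """Return a Counter of source IPs reported in 400011 messages."""
    counts = Counter()
    for line in lines:
        m = PIX_400011.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def detect_syslog_loop(lines, monitor_ip, threshold=10):
    """Flag the PIX <-> Security Monitor feedback loop: at least `threshold`
    400011 messages whose ICMP Unreachable source is the monitor server."""
    counts = count_unreachable_by_source(lines)
    n = counts.get(monitor_ip, 0)
    return {"loop_suspected": n >= threshold, "count": n, "sources": dict(counts)}


# Constructed sample: 12 unreachables from the (assumed) monitor server
# 10.10.10.5, one from an unrelated host, and one non-IDS message.
SAMPLE_LINES = [
    f"Jun 10 10:00:{i:02d} pix %PIX-4-400011: IDS:2001 ICMP unreachable "
    f"from 10.10.10.5 to 192.168.1.1 on interface inside"
    for i in range(12)
] + [
    "Jun 10 10:00:30 pix %PIX-4-400011: IDS:2001 ICMP unreachable "
    "from 172.16.0.9 to 192.168.1.1 on interface outside",
    "Jun 10 10:00:31 pix %PIX-6-302013: Built outbound TCP connection 1 "
    "for outside:172.16.0.9/80 to inside:192.168.1.50/1025",
]

if __name__ == "__main__":
    print(detect_syslog_loop(SAMPLE_LINES, "10.10.10.5"))
```

When the verdict is positive, the page's workaround applies: suppress message 400011 on the PIX and then work through the checklist (disk space, matching UDP port, syslog daemon running, no firewall blocking UDP/514) on the Security Monitor server.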
Can the Sybase database be installed and run on a separate computer for tasks like DB backups?
Yes, you can install the Sybase database for IDS/SecMon on a different mounted drive. RAID disks are a better choice, because everything becomes I/O-bound at high volumes. You can schedule a prune and load the pruned data into another database (Sybase, Oracle, and so on). You can also perform a backup and load the IDS/IPS database into a Sybase instance installed on a different computer. This requires that you purchase an additional license for Sybase. The Security Monitor application uses the Sybase database shipped with VMS; there is no pluggable replacement. To use the data on another database, you must replicate it to that database somehow. You can use the command-line tools or any other means to do so.
How can I back up my alert database?
To back up the alert database, go to VPN/Security Management Solutions > Administration > Common Services > Back up Database. This option backs up the idsmdc.db and idsmdc.log files, which include your device and signature settings and all the received alerts.
How can I keep the customization of my columns in the Security Monitor?
Starting from Security Monitor 1.2, which is part of VMS 2.2, you can keep the customization of columns in the Security Monitor. When you have modified the columns, go to Edit > Save Column Set. Then go to Monitor > Events to ensure that the Event Viewer option for Column Set is set to Last Saved.
How do I view the Network Security Database (NSDB) from the Security Monitor?
From within the Event Viewer, click in any cell in the row to highlight the signature you are interested in. Then go to View > Network Security Database, or right-click on the cell and select View NSDB.
Is there a limit to the number of events I can receive through Security Monitor?
There is no configured limit to the number of events the Security Monitor can receive. The maximum suggested rate for received events, such as syslog and IDS/IPS, is 45 per second, with a burst rate of 500 per second for five minutes.
How do I get the Security Monitor to send me a daily report at a specified time?
Follow these steps to schedule a daily alarm report:
1. Select the Reports tab.
2. Choose the report that you want to run, such as IDS/IPS Summary Report.
3. On the Schedule Report screen, select the Schedule for Later radio button and the Repeat Every Day option for the report.
4. Select the time that you want the report to be generated.
5. Check the Email Report To: check box and enter the destination e-mail address for the report.
If you want to schedule multiple reports, separate the reports by at least 30 minutes to avoid conflicts.
How can I increase the rather low sustained rate (50 events per second) for Security Monitor?
The Security Monitor can sustain 500 events per second for several hours. Problems occur when you start doing something to the database at the same time, for example pruning. The default rule is designed to prevent the system from dying after a while, and this pruning affects the rates. The author's tests show that the constant event rate that can be sustained indefinitely is approximately 50 events a second, because Security Monitor is pruning. If you never prune, the rate is 500 events per second; however, the data becomes so unmanageable that it is unusable. The problem is I/O-bound. With RAID systems the rates are expected to go up, but there are no guarantees.
Where are the results from the execution of the script sent/presented?
It depends entirely on the script and its arguments. Some scripts output results to a file, and the location of that file is controlled by the argument list of the script. For example, in version 1.x of Security Monitor, the default database rules that are shipped with the product reference the pruneDefault.pl script. This script controls where the output (the archived files) should be stored with the -w option in the arguments list. You can see that the rules are set up to output to this subdirectory: . . .\CSCOpx\MDC\Sybase\DB\IDS\AlertPruneData. You are encouraged to change this location by editing the rule and changing the argument text to point to another location (preferably on another computer). Of course, you can create your own scripts that can place results anywhere. In general, script results are not viewable in the Security Monitor.
When or how can I remove older reports from Security Monitor?
Reports are not automatically removed from the system, but you can delete old reports. Select Report > View and select the reports from the table by checking the check box. Then click Delete. The selected reports will be deleted.
How can I develop my own scripts if the data structure is not exposed?
You will not be able to develop your own scripts that interact directly with the security database. However, you can create scripts that interact with the Security Monitor database utility programs that Cisco has provided (IdsAlarms.exe, IdsPruning.exe, IdsImportNrLog.exe, and so on). These utility programs provide the capability of exporting table data to a file and importing data from a file, in addition to pruning and archiving.
Can Security Monitor correlate alerts?
Yes, Security Monitor can correlate alerts based on different criteria.
How does Security Monitor treat PIX syslog messages?
PIX can generate two types of syslog messages: IDS/IPS and non-IDS security syslog messages. Security Monitor takes both types. The PIX IDS/IPS messages are stored with all other IDS messages. The non-IDS PIX messages are stored in a more generic security messages table. Viewing and reporting is available for both sets.
I have enabled SSL, and when I try to access the Event Viewer I get various errors. What should I do?
The certificate that you are using is the wrong one. Synchronize the certificates as follows:
1. Go to VPN/Security Management Solution > Administration > Configuration > Certificate, and change Certificate from Common Services Certificate to CiscoWorks 2000 Certificate.
2. Exit Internet Explorer (IE).
3. Stop and restart the services.
Is it possible to forward an IDS event towards an external syslog server from the Security Monitor?
Yes, you can forward syslog events from Security Monitor to an external Syslog Server.
Where can I download the latest versions and patches for IDS/IPS MC/Security Monitor?
You can download the latest version and patches for IDS/IPS MC/Security Monitor software from the following location with a cisco.com login ID:
Where can I download the latest signature and service pack updates for IDS/IPS MC/Security Monitor?
You can download them from the following location:
IDS/IPS MC updates Security Monitor automatically if it resides on the same server.
How can I move the database after the installation?
This is not recommended by the author, as the process is complex and there is a chance of application corruption. However, if you really need to move the database from the location where it was installed in the beginning, you can do so by following these steps:
1. Stop the CiscoWorks Daemon Manager. (From Start > Control Panel > Administrative Tools > Services, click on CiscoWorks Daemon Manager and then on Stop.)
2. Locate the file SystemConfig.xml in the three following directories:
3. In all three files, change the line containing <DatabaseFile> to point to the new location.
4. Move the database files idsmc.db and idsmc.log, which are located in <install-directory>\CSCOpx\MDC\Sybase\Db\IDS, to the new location.
5. Start the CiscoWorks Daemon Manager again.
Is it possible to export IDS/IPS events from VMS to a text file?
There is a way to export IDS/IPS events from a VMS server to XML and text files. This is possible through the CLI utility IdsAlarms.exe, which is located in the <install_path>/CSCOpx/MDC/bin/ids folder. It is not possible to export to .cab files.
The generic syntax for this utility is as follows:
IdsAlarms [-f"filename"] [-llevel] [-oformat] [-s"clause"] [-d] [-u] [-p] [-z]
Only the first three options (-f, -l, and -o) are needed for exporting the events.
Example 22-6 shows how to use the IdsAlarms utility.
Example 22-6. Usage of IdsAlarms Utility
! To export all the events from the 3.x devices in NrLog text format:
IdsAlarms -f"alarmsave.txt" -ll -on
! To export all the events from the database in IDIOM XML format:
IdsAlarms -f"alarmsave.txt" -ll -oi
! To export only the Medium and High severity events from the database in IDIOM format:
IdsAlarms -f"alarmsave.txt" -lm -oi
Why am I receiving multiple notifications while running prune jobs on the Security Monitor version earlier than 2.0?
The pruning can take several hours to run, depending on the size of the database and some other parameters. The notification for the execution of the script is sent when the script is started, not when it actually ends. Therefore, receiving the notification or seeing the notification message in the Audit Log file does not mean that the script has ended or that it was successful. If the trigger for the script is a specific number of events in the database, the notification can easily be sent multiple times for the same execution of the same script, because the prune job is long and IDS_DbAdminAnalyzer checks every half hour whether the conditions for a rule have been met. If the number of events in the database has not yet been reduced below the trigger number, the script is started again (even though it fails when run, since another instance of the script is already running).
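The re-triggering described above is the classic "scheduler fires faster than the job finishes" failure mode. The following added example (not from the book or from Cisco) shows a small Python wrapper that a custom database rule could call instead of the prune script directly: it takes an exclusive lock file before launching the real job and returns "skipped" when an earlier instance still holds the lock, so a half-hourly re-trigger exits cleanly instead of starting a second, doomed prune. The lock-file location, the stale-lock timeout and the `demo()` helper are assumptions of this example, not part of the product.

```python
import os
import subprocess
import sys
import tempfile
import time

# Hypothetical lock location; on the VMS server TEMP is the Windows temp dir.
DEFAULT_LOCK = os.path.join(tempfile.gettempdir(), "idsmc-prune-job.lock")


def acquire_lock(lock_path, stale_after=6 * 3600):
    """Atomically create lock_path; return True if this process now owns it.
    A lock older than stale_after seconds is treated as abandoned (for
    example, after a crashed job) and reclaimed."""
    flags = os.O_CREAT | os.O_EXCL | os.O_WRONLY
    try:
        fd = os.open(lock_path, flags)
    except FileExistsError:
        try:
            age = time.time() - os.path.getmtime(lock_path)
        except FileNotFoundError:
            return acquire_lock(lock_path, stale_after)  # released meanwhile; retry once
        if age < stale_after:
            return False  # another instance is still running
        os.remove(lock_path)  # abandoned lock, reclaim it
        try:
            fd = os.open(lock_path, flags)
        except FileExistsError:
            return False  # lost the race to another reclaimer
    with os.fdopen(fd, "w") as fh:
        fh.write(str(os.getpid()))
    return True


def release_lock(lock_path):
    """Remove the lock file; tolerate it already being gone."""
    try:
        os.remove(lock_path)
    except FileNotFoundError:
        pass


def run_once(command, lock_path=DEFAULT_LOCK):
    """Run `command` (a list for subprocess) unless another instance holds
    the lock. Returns "skipped" or the command's exit code."""
    if not acquire_lock(lock_path):
        return "skipped"
    try:
        return subprocess.call(command)
    finally:
        release_lock(lock_path)


def demo(lock_path=None):
    """Exercise the lock life cycle with a trivial child process and return
    (first_acquire, second_acquire, run_while_held, run_after_release)."""
    lock_path = lock_path or os.path.join(tempfile.mkdtemp(), "demo.lock")
    trivial = [sys.executable, "-c", "pass"]
    first = acquire_lock(lock_path)          # True: we own it
    second = acquire_lock(lock_path)         # False: still held
    while_held = run_once(trivial, lock_path)  # "skipped"
    release_lock(lock_path)
    after = run_once(trivial, lock_path)     # 0: child ran to completion
    return first, second, while_held, after


if __name__ == "__main__":
    # Real use: python prune_once.py <path to prune script> <its arguments...>
    sys.exit(0 if run_once(sys.argv[1:]) in (0, "skipped") else 1)
```

Because the wrapper exits immediately when skipped, the rule's start notification still fires on every re-trigger; the value of the lock is that no second prune competes for the database, and the "skipped" result can be logged so that the audit trail distinguishes a genuine new run from a suppressed one.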